SURXRAT: From ArsinkRAT roots to LLM Module Downloads Signaling Capability Expansion

SURXRAT is an actively developed Android Remote Access Trojan marketed via a Telegram-based MaaS ecosystem (SURXRAT V5) that evolved from ArsinkRAT, abuses Accessibility permissions, and uses a Firebase Realtime Database backend to exfiltrate extensive user data and perform remote device control and locking. The latest variants conditionally download a >23GB LLM module from Hugging Face—triggered by specific game package names—indicating experimentation with AI-driven capabilities, performance manipulation, and expanded monetization. #SURXRAT #ArsinkRAT

Keypoints

  • SURXRAT is sold openly on Telegram under a tiered reseller/partner licensing model (SURXRAT V5), enabling affiliates to generate customized builds and scale distribution.
  • Code references and functional overlap indicate SURXRAT likely evolved from the ArsinkRAT family, accelerating feature development and reuse of Android RAT frameworks.
  • The malware abuses Accessibility permissions and requests high-risk permissions to enable persistent surveillance and automated remote actions without continuous user interaction.
  • SURXRAT uses a Firebase Realtime Database (hxxps://xrat-sisuriya-default-rtdb.firebaseio[.]com) as its C2, registering devices via UUIDs and exfiltrating contacts, SMS, call logs, location, and other sensitive data.
  • Remote-control features include audio recording, camera capture, clipboard access, remote calls/SMS, wallpaper changes, device locking with ransomware-style screen locker, and complete storage wipe.
  • New behavior includes conditional download of a >23GB LLM from Hugging Face when targeted gaming apps are active (e.g., Free Fire packages), suggesting AI experimentation for evasion, disruption, or monetization.

MITRE Techniques

  • [T1624.001] Event Triggered Execution: Broadcast Receivers – SURXRAT registers a BOOT_COMPLETED broadcast receiver to activate the screen locker activity after reboot.
  • [T1541] Foreground Persistence – SURXRAT runs as a foreground service, showing a persistent notification.
  • [T1629.001] Impair Defenses: Prevent Application Removal – SURXRAT prevents uninstallation to maintain presence on the device.
  • [T1406] Obfuscated Files or Information – SURXRAT Base64-encodes stolen files before sending them to the Telegram bot.
  • [T1517] Access Notifications – SURXRAT collects device notifications to harvest data.
  • [T1418] Software Discovery – SURXRAT retrieves the list of installed applications.
  • [T1426] System Information Discovery – SURXRAT collects detailed device metadata.
  • [T1421] System Network Connections Discovery – SURXRAT collects cell and Wi-Fi information.
  • [T1420] File and Directory Discovery – SURXRAT enumerates external storage to identify files for exfiltration.
  • [T1414] Clipboard Data – SURXRAT collects clipboard content.
  • [T1429] Audio Capture – SURXRAT can capture audio using the device microphone.
  • [T1533] Data from Local System – SURXRAT collects files from external storage.
  • [T1430] Location Tracking – SURXRAT collects the victim's location.
  • [T1636.002] Protected User Data: Call Log – SURXRAT collects call logs.
  • [T1636.003] Protected User Data: Contact List – SURXRAT collects contact data.
  • [T1636.004] Protected User Data: SMS Messages – SURXRAT collects SMS data.
  • [T1636.005] Protected User Data: Accounts – SURXRAT collects Gmail account information.
  • [T1512] Video Capture (Camera) – SURXRAT captures photos using the device camera.
  • [T1437.001] Application Layer Protocol: Web Protocols – SURXRAT communicates with its backend over HTTPS.
  • [T1646] Exfiltration Over C2 Channel – SURXRAT sends collected data to the Firebase C2 server.
  • [T1582] SMS Control – SURXRAT can send SMS messages from the infected device.
  • [T1616] Call Control – SURXRAT can initiate phone calls from the infected device.
  • [T1662] Data Destruction – SURXRAT can wipe external storage to destroy victim data.

Indicators of Compromise

  • [URL / Domain] Firebase C2 backend – hxxps://xrat-sisuriya-default-rtdb.firebaseio[.]com (used for device registration, command polling, and data exfiltration).
  • [App Package] Targeted application package names used to trigger the conditional LLM download – com.dts.freefiremax, com.dts.freefireth (download triggered when these games are active or when backend-specified package names match).
  • [Hosting Repository] LLM model host – Hugging Face model repository (SURXRAT downloads a >23GB LLM module from Hugging Face for AI-related experiments and performance manipulation).
  • [Malware Samples / Code Artifacts] Sample identifiers and source-code references – more than 180 SURXRAT-related samples observed, and an explicit ‘ArsinkRAT’ string found in code (indicating code reuse and evolution).
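As an added example (not code from the Cyble report or from the malware), the helper below matches a decoded AndroidManifest.xml plus strings extracted from an APK against the indicators listed above: the Firebase RTDB C2 host, the Free Fire trigger packages, a Hugging Face download URL, the ArsinkRAT string, the BOOT_COMPLETED receiver, and the data-collection permissions behind the MITRE techniques. The manifest and strings are constructed sample input, and the Hugging Face repository path is a placeholder because the report does not name it.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Indicators from the report; the C2 host is the one in the IoC list, re-fanged for matching.
KNOWN_C2 = "xrat-sisuriya-default-rtdb.firebaseio.com"
RTDB_RE = re.compile(r"https?://([\w-]+-default-rtdb\.firebaseio\.com)", re.I)
HF_RE = re.compile(r"https?://huggingface\.co/\S+", re.I)
LLM_TRIGGER_PKGS = {"com.dts.freefiremax", "com.dts.freefireth"}
PERM_TECHNIQUE = {"android.permission.READ_SMS": "T1636.004", "android.permission.READ_CALL_LOG": "T1636.002",
                  "android.permission.READ_CONTACTS": "T1636.003", "android.permission.RECORD_AUDIO": "T1429",
                  "android.permission.CAMERA": "T1512", "android.permission.ACCESS_FINE_LOCATION": "T1430"}

def triage(manifest_xml: str, code_strings: list) -> dict:
    """Match a decoded AndroidManifest.xml and strings pulled from the APK against the indicators."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    f = {"techniques": sorted(PERM_TECHNIQUE[p] for p in perms if p in PERM_TECHNIQUE), "accessibility_service": False,
         "firebase_rtdb": [], "known_c2": False, "llm_triggers": [], "hf_download": [], "family": []}
    # Accessibility abuse: a service declared with the BIND_ACCESSIBILITY_SERVICE permission
    for svc in root.iter("service"):
        if svc.get(NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            f["accessibility_service"] = True
    # T1624.001: a BOOT_COMPLETED receiver, which SURXRAT uses to relaunch its screen locker
    if any(a.get(NS + "name") == "android.intent.action.BOOT_COMPLETED" for a in root.iter("action")):
        f["techniques"].append("T1624.001")
    for s in code_strings:
        m = RTDB_RE.search(s)
        if m:
            host = m.group(1).lower()
            f["firebase_rtdb"].append(host)
            f["known_c2"] = f["known_c2"] or host == KNOWN_C2
        if HF_RE.search(s):
            f["hf_download"].append(s)
        if s in LLM_TRIGGER_PKGS:
            f["llm_triggers"].append(s)
        f["family"] += [fam for fam in ("ArsinkRAT", "SURXRAT") if fam in s]
    # A Firebase RTDB URL alone is common in benign apps: only count it alongside a family string
    f["surxrat_match"] = f["known_c2"] or (bool(f["family"]) and bool(f["firebase_rtdb"]))
    return f

# Constructed sample input (not a real SURXRAT artifact); the Hugging Face path is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="x.sample">
<uses-permission android:name="android.permission.READ_SMS"/><uses-permission android:name="android.permission.RECORD_AUDIO"/>
<application><service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
<receiver android:name=".Boot"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/>
</intent-filter></receiver></application></manifest>"""
SAMPLE_STRINGS = ["https://xrat-sisuriya-default-rtdb.firebaseio.com/devices.json", "com.dts.freefiremax",
                  "ArsinkRAT", "https://huggingface.co/PLACEHOLDER-REPO/model.bin"]
```

`triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)` returns the matched technique IDs and indicators; a manifest with only a generic `*-default-rtdb.firebaseio.com` URL and no family string yields `surxrat_match == False`.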

Read more: https://cyble.com/blog/surxrat-downloads-large-llm-module-from-hugging-face/